CVE-2025-43744: 
Java vulnerability analysis and mitigation

CVE-2025-43744 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability discovered in Liferay Portal and Liferay DXP, specifically affecting the Asset Publisher configuration UI within the Source.js module. The vulnerability was disclosed on August 15, 2025, and affects multiple versions of Liferay Portal (7.4.0 through 7.4.3.132) and Liferay DXP (various versions from 2024.Q1 through 2025.Q2) (Liferay Advisory).

The vulnerability exists in the Asset Publisher configuration UI within the Source.js module, where attackers can inject arbitrary JavaScript via DDM structure field labels. The vulnerability occurs when these labels are inserted into the DOM using innerHTML without proper encoding. The severity has been assessed with a CVSS v4.0 score of 5.1 (MEDIUM), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N (Liferay Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the affected Asset Publisher configuration UI. This can lead to potential data theft, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD).

The vulnerability has been fixed in multiple versions including Liferay Portal master branch, Liferay DXP 2025.Q2.6, and Liferay DXP 2025.Q1.16. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).